On Windows 10, "Controlled folder access" is a new intrusion-prevention feature that's part of the Windows Defender Exploit Guard included in the Fall Creators Update.

Controlled folder access is designed primarily to prevent ransomware from encrypting and taking your data hostage, but it also protects files from unwanted changes from other malicious programs.

It's an opt-in feature, and when enabled, it tracks the apps (executable files, scripts, and DLLs) trying to make changes to files in the protected folders. If the app is malicious, or it's not recognized, the feature blocks the attempt in real time, and you'll get a notification of the suspicious activity.

How to enable Controlled folder access using Security Center

The easiest way to enable and configure Controlled folder access is to use the Windows Defender Security Center dashboard. Here's how:

1. Open Windows Defender Security Center.
2. Click on Virus & threat protection.
3. Click the Virus & threat protection settings option.
4. Turn on the Controlled folder access toggle switch.

Once you complete the steps, Windows Defender Antivirus will continuously protect your files and folders from unauthorized access by malicious programs like ransomware.

Adding new locations

By default, this feature guards the Documents, Pictures, Videos, Music, Desktop, and Favorites folders. While you can't alter the default list of protected folders, if you have files stored in a different location, you can add the new drive or folder path manually. Here's how:

1. Open Windows Defender Security Center.
2. Click on Virus & threat protection.
3. Click the Virus & threat protection settings option.
4. Under "Controlled folder access," click the Protected folders link.
5. Click the Add a protected folder button.
6. Navigate to the new location you want to add and click the Select folder button.

If your storage configuration changes and you need to remove a folder location, you can follow the same steps, but on step No. 5, select the location and click the Remove button.
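
The enable and add-location steps above can also be applied and verified from an elevated PowerShell session. The script below is an added example, not part of the original article; it uses the built-in Defender cmdlets (Get-MpPreference, Set-MpPreference, Add-MpPreference), and `D:\Projects` is a placeholder path chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Controlled folder access, protect one extra folder,
# then verify the resulting state with the built-in Defender cmdlets.

# Assumption: placeholder path; replace with the folder you want to protect.
$ExtraFolder = 'D:\Projects'

function Get-CfaState {
    # EnableControlledFolderAccess is reported as a number:
    # 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
    $pref = Get-MpPreference
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' }
        1 { 'Enabled' }
        2 { 'AuditMode' }
        default { "Other ($_)" }
    }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = @($pref.ControlledFolderAccessProtectedFolders)
        AllowedApps      = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

$before = Get-CfaState
if ($before.Mode -ne 'Enabled') {
    Set-MpPreference -EnableControlledFolderAccess Enabled
}

# Add the folder only if it exists and is not already listed. The default
# folders (Documents, Pictures, ...) are always protected and need not be added.
if (-not (Test-Path -LiteralPath $ExtraFolder -PathType Container)) {
    Write-Warning "Skipping '$ExtraFolder': folder not found."
} elseif ($before.ProtectedFolders -notcontains $ExtraFolder) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $ExtraFolder
}

# Show the state after the change so it can be compared with the dashboard.
Get-CfaState | Format-List

# Recent block events (ID 1123) name the process and path that were denied,
# which is what you need when deciding whether a blocked app is one you trust.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If the feature is configured through Group Policy, the policy value takes precedence over what this script sets locally.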

Allowing specific apps

Controlled folder access should be smart enough to detect which apps can safely access your files, but in the case an app you trust is blocked, you'll need to allow the app manually. This is how to do it:

On the right side, double-click the Configure Controlled folder access policy.

Select the Enabled option.

Under "Options," select the Block option using the drop-down menu.

Click Apply.

Click OK.

Once you complete the steps, the security feature will guard your files and folders stored in the default locations.

The only caveat of using this method is that any other configuration will have to be changed using Group Policy. If you open Windows Defender Security Center, you'll notice the "This setting is managed by your administrator" message and the Controlled folder access option will appear grayed out.

At any time, you can revert the changes following the same steps, but on step No. 5 select the Not Configured option.

Adding new locations

In the case you must protect files and folders located in a different folder, you can use the "Configure protected folders" policy to add the new location. Just follow these steps:

Wrapping things up

Controlled folder access is one of the intrusion prevention features of Windows Defender Exploit Guard, which is part of the Windows Defender Antivirus. This means the feature won't be available if you use a third-party antivirus solution.
